the murky mind of a nimble turtle

Menu

Why ssh keys are “something you know” rather than “something you have”

A credential is “something you have” if it can only be compromised by physical access. Ssh keys, like passwords, can be collected by remote attackers. When attackers gain access to your client machine (your laptop or desktop computer) they can copy your private keys and install a keystroke logger to capture your passwords. While equivalent in theory, in practice an ssh key (even passwordless) is a stronger credential than a password for several reasons:

keys cannot be brute-force cracked … passwords often can

keys never leave your client computer and so can only be compromised if your client is compromised … passwords transit the network every time you login, so they are compromised if your client, the server, or the channel are compromised